2. The balanced scorecard (BSC), initially developed by Kaplan and
Norton, is a performance management system that should allow
enterprises to drive their strategies on measurement and
follow-up.
In recent years the BSC has been applied to information technology
(IT) and currently I have developed the first real-life IT Security
Governance application based on mapping ISO27001 control
objectives to COBIT4.1 process areas and IT Governance focus
areas.
In this article, it is shown how an exercise in instituting controls
can be used to establish the IT balanced scorecard (IT BSC) which
can be linked to the business balanced scorecard (BU BSC) and, in so
doing support the IT/Business governance and alignment
processes as derived from mapping ISO27001 and COBIT4.1
controls.
3. Kaplan and Norton (1992, 1993, 1996a, 1996b) have introduced
the balanced scorecard at the enterprise level. Their basic idea is
that the evaluation of an organization should not be restricted to a
traditional financial evaluation but should be supplemented with
measures concerning customer satisfaction, internal processes and
the ability to innovate. These additional measures should assure
future financial results and drive the organization towards its
strategic goals while keeping all four perspectives in balance. They
proposed a three-layered structure for the four perspectives:
mission (e.g., to become the customers’ most preferred supplier),
objectives (e.g., to provide the customers with new products) and
measures (e.g., percentage of turnover generated by new
products). The balanced scorecard can be applied to the IT function
and its processes, as Gold (1992, 1994) and Willcocks (1995) have
conceptually described, and this application has been further
developed by Van Grembergen and Van Bruggen (1997) and Van
Grembergen and Timmerman (1998).
4. In this article, we illustrate how a cascade of
scorecards can be instrumental in the
development of IT/business governance
processes and how this hierarchy of scorecards
can support the alignment of business and IT
strategy. The IT Development BSC and the IT
Controls/Operational BSC are introduced as
enablers for the Strategic BSC, which in turn is the
enabler of the Business BSC.
Governance is established through
compliance with standards and control objectives.
5. [Figure: cascade of scorecards: Business BSC, IT Strategy BSC,
IT Development BSC, IT Controls/Operation BSC]
6. IT governance is part of corporate governance and has to
provide the organizational structures to enable the
creation of business value through IT, the assurance that
there are no IT investments in bad projects, and the
assurance that adequate IT control mechanisms are established
through compliance with the control objectives of COBIT
and ISO27001.
The methodology of the Balanced Scorecard is a
measurement and management system that is very
suitable for supporting the IT governance process and the
IT/business alignment process.
Business unit/individual key performance indicators (KPIs)
can be developed from this exercise based on the
understanding, implementation and institution of these
control objectives, with the compliance score as a criterion.
16.
- Wim Van Grembergen presented at the European Conference on Information Systems (ECIS)
  in 1997 and 1998 and at the Information Resources Management Association (IRMA)
  Conferences in 1998, 1999 and 2000. He is Track Chair “IT Evaluation Methods and
  Management” for the 2000 IRMA conference.
- Gold, C. “Total quality management in information services – IS measures: a balancing
  act,” Research Note. Ernst & Young Center for Information Technology and Strategy,
  Boston, 1992.
- Gold, C. “US measures — a balancing act,” Ernst & Young Center for Business Innovation,
  Boston, 1994.
- Kaplan, R. and Norton, D. “The balanced scorecard — measures that drive performance,”
  Harvard Business Review. January-February 1992, pp. 71-79.
- Kaplan, R. and Norton, D. “Putting the balanced scorecard to work,” Harvard Business
  Review. September-October 1993, pp. 134-142.
- Kaplan, R. and Norton, D. “Using the balanced scorecard as a strategic management
  system,” Harvard Business Review. January-February 1996a, pp. 75-85.
- Kaplan, R. and Norton, D. “The balanced scorecard: translating vision into action,”
  Harvard Business School Press, Boston, 1996b.
- Van Grembergen, W. and Timmerman, D. “Monitoring the IT process through the
  balanced scorecard,” Proceedings of the 9th Information Resources Management (IRMA)
  International Conference, Boston, May 1998, pp. 105-116.
- Willcocks, L. Information Management. The evaluation of information systems
  investments. Chapman & Hall, London, 1995.
- Oparaugo, C. Conducted an ISO27001 self-assessment for Zain Nigeria and developed a
  balanced scorecard through COBIT from the exercise. December 2008.